Method for establishing the authenticity of the identity of a service user and device for carrying out the method

ABSTRACT

The invention relates to a process and a device for establishing the authenticity of the identity of a service user relative to a service provider for release of an access authorization (password) for a service using two different data input terminals, a registration server and a message converter.

SPECIFICATION

Type

[0001] The invention relates to a process for establishing the authenticity of the identity of a service user relative to the service provider for release of an access authorization (password) for a service.

[0002] The invention furthermore relates to a device for executing the aforementioned process.

Prior Art

[0003] DE 197 18 103 A1 discloses a process and a device for authorization in data transmission systems using a transaction number (TAN) or a comparable password. The known process calls for the following:

[0004] The user in a first step sends via a data input device his identification and/or the identification character of the data input device together with a request to generate or choose a TAN or comparable password from a data file to the authorization computer;

[0005] In a second step the authorization computer generates the TAN or comparable password or chooses it from a file;

[0006] In the third step the authorization computer sends the TAN or comparable password via a transmission path other than in step 1 to the receiver;

[0007] In a fourth step the user accepts this TAN or comparable password from the receiver and inputs it into the data input device;

[0008] In a fifth step this TAN or comparable password is transferred again to the authorization computer;

[0009] In a sixth step the authorization computer checks the validity of the TAN or comparable password in order to then

[0010] in a seventh step establish or clear a connection between the data input device and a receiving unit.

[0011] Furthermore, it is proposed in a prior publication that the TAN or comparable password is used only once. The validity of the TAN or comparable password can be a predefined user time. Furthermore, the validity of the TAN or comparable password can be dependent on a predefined number of transmitted data files. The validity of the TAN or comparable password is dependent on a predefined amount of transmitted data. Access to the data input device and/or receiver and/or receiving unit is password-protected. The files transferred by the data input device to the receiving unit or vice versa are encrypted. The data transmitted by the data input device to the authorization computer or vice versa are likewise encrypted. The receiver can be a pager. But it is also possible for the receiver to be a mobile device. Furthermore, making the receiver as a fax is suggested. But the receiver can also be an E-mail or network address. Furthermore, it is possible for the receiver to be a data output device. Finally it is proposed that a speech output device be used as a speaker or a telephone be used as the speech output device. It is also described that the receiver is a radio receiver which is installed in the data input device and which outputs the TAN or comparable password on the display or monitor of the data input device. The radio can have a user identification element, as it is also possible for the user identification element to be a magnetic card or chipcard. Finally, it is conceivable for the user identification element to be made with graphic means for checking a fingerprint or for image identification of the user. There are matching encryption modules in the authorization computer and in the receiver. The receiver unit can however also be a door locking mechanism.

[0012] Moreover it is proposed that the authorization computer and the receiving unit be integrated in one device. The data input device, the authorization computer and the receiving unit can be made integrated in one device.

[0013] Other known procedures such as “telebanking” and the so-called “call back system” described in DE 197 18 103 A1 will be made more reliable by the described procedure.

[0014] Since the user in the first step sends via the data input device his identification and/or the identification character of the data input device together with the request to generate and choose a TAN or comparable password from a file to the authorization computer, the third step follows which consists specifically in that the authorization computer sends the TAN or comparable password to the receiver via another transmission path, in the fourth step the user accepting this TAN or comparable password from this receiver and inputting it again into his data input device. Thus two different transmission paths are claimed. The authenticity of the user which is of great importance for the service provider is not checked in the process described in DE 197 18 103 A1.

[0015] The process described in DE 197 18 103 A1 allows the possibility of a user providing a false identity with the intent of abuse. Abuse possibilities are the following here:

[0016] 1. A user logs on under a false identity and has the password sent to the receiver.

[0017] 2. A user logs on correctly. Due to technical problems the delivery of the password to the receiver is delayed. In the meantime the receiver falls into unauthorized hands.

[0018] Since the process is based on a valid password being sent to the receiver, unauthorized use of service to the detriment of the service provider or third party is immediately possible.

[0019] DE 197 22 424 C1 discloses a process for secure access by a user to a separate system with data stored in a memory device, with the following steps:

[0020] Establishment of a first connection between a first communications means and an access device and transmission of the first password from the first communication means to the access device;

[0021] Comparison of the first password to the first authentication data stored in the access device;

[0022] Establishment of a second connection between a second communications means and an access device and transmission of the second password from the second communication means to the access device;

[0023] Comparison of the second password to the second authentication data stored in the access device; and

[0024] Release of access to the system with one or both communications means in the presence of a given relation between the first and second password with the second authentication data stored in the access device.

[0025] The following steps are also proposed in this connection:

[0026] Transmission of the second or third password from the access device to the first communications means;

[0027] Transmission of the second or third password from the first communications means to the second communications means;

[0028] Transmission of the second or third password from the second communications means to the access device which carries out a corresponding check of the password before access to data is released.

[0029] Furthermore, establishment of a connection between a first communications means and an access device and transmission of the first password from the first communication means to the access device is proposed, comparison of the first password to the first authentication data stored in the access device taking place;

[0030] In the presence of a given relation between the first password and the authentication data stored in the access device, establishment of a second connection between the access device and the second communications means and transmission of the second password from the access device to the second communication means;

[0031] Transmission of the second password from the second communications means to the first communication means;

[0032] Transmission of the second password from the first communication means to the access device;

[0033] Comparison of the second password to the second authentication data stored in the access device; and

[0034] Release of access to the system with one or both communications means in the presence of a given relation between the second password and the second authentication data stored in the access device.

[0035] Moreover, a process is proposed which is characterized by establishing the first and second connection via communications paths independent of one another, a data processing device being used as the first or second communications means, and the connection between the data processing means and the access device being set up via a data processing device network. An internet can be used for the connection between the access device and the data processing device. A telephone can be used as the first or second communications means, the connection between the telephone and access device being established via the telephone network. A mobile phone can be used as a communications device. The first or second password can be transferred by pressing a call request key or at least one other key of the telephone. The system can be a GSM network and the memory device can be a home location register in which subscriber-referenced data are stored. At least one of the passwords can be produced in the access device or elsewhere and can be valid for only one access session. Furthermore it is proposed that at least one of the passwords be generated using a subscriber identification and the current time or date. One of the passwords can be used for data encryption and for data transmission between the first and second communications means and the access device. After release of data access at least one additional password can be transmitted from one of the communication means to the access device in order to clear expanded access to the system or to other data stored in the memory device. As the device a system with connected access devices can be used, with a data processing device, via a data processing network, to which the access device can be connected, using a permanently connected telephone, with a mobile telephone which can be connected via a fixed network or mobile network to the access device.

[0036] This device produces different passwords in a very complicated manner; they are sent via separate communications means.

[0037] WO 95/19593 discloses a computer security system in which the system produces case by case a code A which is transformed, and produces a code B, even a third code being generated which is to be compared to the second code and access is only released when the second and third code agree.

Object

[0038] The object of the invention is to devise a process for release of access authorization based on checking the authenticity of the identity of a service user according to the assumed type. The process is intended to allow the service provider the security of releasing access authorization for service users whose authenticity has been checked.

[0039] Furthermore, the object of the invention is to devise an advantageous device for executing the process as claimed in the invention.

Achieving the Object Relating to the Process

[0040] This object is achieved by the features listed in claim 1.

Some Advantages

[0041] In contrast to DE 197 18 103 A1, in the invention the identification is sent to the service provider via only one, for example secure, connection, while the provider sends back the initially still invalid password or the like to the user via the same connection.

[0042] The process can be used when access authorization for the use of a service is to be released by the service provider only if beforehand the authenticity of the identity of the service user has been checked with high certainty. Checking the authenticity of the identity of the service user and linking the release of the access identification character to this check greatly reduce the possibility of abuse by providing a false identity.

[0043] Misuse is only possible when the terminal device at the time of registration is already in the possession of an authorized party.

Other Inventive Embodiments

[0044] Other inventive embodiments are described in claims 2 to 8.

[0045] Limitation of the time interval in which the initially invalid password can be used in order to authenticate the service user further increases security by forcing the service user to authenticate himself in the indicated time interval. Authentication after expiration of the time interval is not possible; the service user must re-register in this case and then receives a new invalid password—claim 2.

[0046] After the service user has been successfully authenticated and the password has been released to him by the service provider, it will be possible for the service user to change the password at will—claim 3.

[0047] To increase security, there is the option of limiting use of the valid password such that the password remains valid for only a predetermined number of uses. When this number is reached, the password is automatically invalidated. Validity is only re-established by the service user again authenticating himself using the process described in claim 1—claim 4.

[0048] Encryption offers the service user the advantage that his personal data, for example bank account, credit card number and the like, are not intercepted without authorization by third parties—claim 5.

[0049] Encryption offers the service user the advantage that the invalid password and other information of the registration server are not intercepted without authorization by third parties—claim 6.

[0050] The GSM standard has high-security methods for ensuring the authenticity of a mobile user. Therefore the transmission of data from the terminal device to the message converter is well suited—claim 7.

[0051] To establish identity in the ISDN the so-called “calling line identification” can be used which, according to the prior art, is also used for other purposes as an identity feature—claim 8.

Achieving the Object Relating to the Device

[0052] This object is achieved by the features described in claim 9.

Some Advantages

[0053] When the process as claimed in claim 9 is used in a mobile network, the following advantages arise for the service user and network operator.

[0054] A mobile customer (service user) has a contract with the mobile network operator (service provider) which makes it possible to pay the accruing charges by bank collection by the mobile network operator. When the mobile customer decides to use an Internet service which is likewise offered by the mobile network operator, he must be registered for this service. After registration, the customer will be able to use the service using the access authorization. The use of the service is likewise settled by bank collection. In conjunction with the existing bank collection authorization, to protect the mobile customer and the mobile network operator, it is important to guarantee the authenticity of the identity of the registering service user to preclude abuse. The use of an ISDN network instead of a mobile network allows the same advantage.

[0055] The drawings show the invention, in part schematically, on one embodiment.

[0056] Reference number 1 labels a data input terminal as the first terminal device which is made here as a PC, while overall reference number 2 labels a service provider which comprises a registration server 3 and a short message service center as the message converter 4.

[0057] Reference number 5 labels a second terminal device which is made here as a mobile phone.

[0058] The data input terminal 1 as the first terminal device and the second terminal device 5 are both registered for the service user 6 at the service provider 2. This therefore means that the service provider 2 knows the personal data of the service user 6. Thus the terminal device 1 and the terminal device 5 are normally in the possession of the same service user 6.

[0059] The data input terminal 1 can be connected via a secure connection 7, for example a secure socket layer, to the registration server 3 of the service provider 2, while the second terminal device 5 can be connected to the message converter 4 via a connection 8, for example via a GSM mobile network or via ISDN or SUS.

[0060] The procedure is as follows:

[0061] Step 1:

[0062] The service user 6 connects via the first terminal device 1, therefore via the data input terminal 1, via the secure connection 7 to the registration server 3 which knows the personal data of the service user 6.

[0063] Step 2:

[0064] The registration server 3 transfers a still invalid password (identification number, TAN or the like) to the service user 6 to his data input terminal 1 via the same connection 7.

[0065] Step 3:

[0066] The service user 6 reads the password, the identification number, TAN or the like on his terminal device 1.

[0067] Step 4:

[0068] The service user 6 sends the password, identification number or the like which has been read according to step 3, via his second terminal device 5 over the connection 8, for example via a GSM mobile network, to the message converter 4.

[0069] Step 5:

[0070] The service provider 2 compares the password, the identification character or the like which has been sent over the connection 7 to the data input terminal 1 with the password or the like which has been received via the connection 8 from the service user 6. When they agree, the password, the identification character or the like becomes valid and the service user 6 can claim the service of the service provider 2, for example, on the Internet.
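As an added illustration of steps 1 to 5 above (example code, not part of the patent or of any product it describes): a Python simulation of the registration server 3 and the message converter 4, in which the invalid password goes back over the same connection 7 and becomes valid only when it arrives over connection 8 from the second terminal device registered for the same service user. The customer registry, the user id and the mobile number are constructed; the network-asserted sender number of the SMS (MSISDN) stands in for the GSM-authenticated identity of claim 7, and the time limit of claim 2 and the use limit of claim 4 are included.

```python
import hmac
import secrets
import time

# Constructed customer data of the service provider (2): both terminals are
# registered for the same service user, so the provider knows which mobile
# number (second terminal device 5) belongs to which user.
REGISTERED_USERS = {"user6": {"msisdn": "+491700000001"}}  # constructed

PASSWORD_LIFETIME_S = 120   # claim 2: invalid password usable only this long
MAX_USES = 3                # claim 4: valid password invalidated after N uses


class RegistrationServer:
    """Registration server (3): talks to the data input terminal (1) over the
    secure connection (7)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # user_id -> (invalid password, issue time)
        self.valid = {}     # password -> {"user": user_id, "uses_left": n}

    def register(self, user_id):
        # Steps 1 and 2: the user connects over connection 7 and gets a still
        # invalid password back over the very same connection.
        if user_id not in REGISTERED_USERS:
            raise KeyError("unknown service user")
        pwd = secrets.token_hex(4)   # 8 hex digits, easy to type on a phone
        self.pending[user_id] = (pwd, self.clock())
        return pwd

    def confirm(self, sender_msisdn, pwd):
        # Step 5: the password received over connection 8 is compared with
        # the one sent over connection 7, but only for the user whose
        # registered second terminal actually sent it.
        user_id = next((u for u, d in REGISTERED_USERS.items()
                        if d["msisdn"] == sender_msisdn), None)
        if user_id is None or user_id not in self.pending:
            return False
        expected, issued_at = self.pending[user_id]
        if self.clock() - issued_at > PASSWORD_LIFETIME_S:
            del self.pending[user_id]        # expired: user must re-register
            return False
        if not hmac.compare_digest(expected, pwd):
            return False
        del self.pending[user_id]            # one confirmation per password
        self.valid[pwd] = {"user": user_id, "uses_left": MAX_USES}
        return True

    def use_service(self, user_id, pwd):
        # Access authorization: each use consumes one of MAX_USES.
        entry = self.valid.get(pwd)
        if entry is None or entry["user"] != user_id:
            return False
        entry["uses_left"] -= 1
        if entry["uses_left"] == 0:
            del self.valid[pwd]              # automatically invalidated
        return True


class MessageConverter:
    """Message converter (4): receives the SMS over connection 8 and passes
    sender number and message body to the registration server."""

    def __init__(self, server):
        self.server = server

    def receive_sms(self, sender_msisdn, body):
        # Steps 3 and 4: the user types the password read from terminal 1
        # into the mobile phone; the body may carry stray whitespace.
        return self.server.confirm(sender_msisdn, body.strip())
```

A message from a number that is not registered for the user who requested the password is rejected even if the password in it is correct, which is the check the text says DE 197 18 103 A1 lacks.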

[0071] The registration server 3 and the message converter 4 can be spatially combined.

[0072] Furthermore, it is possible for the data input terminal 1 to relay the password, identification character or the like which has been received over the line 7 from the registration server 3 automatically via a second terminal device 5 and thus via the connection 8 to the message converter 4.

[0073] The features described in the abstract, in the claims, and in the specification and shown in the drawings can be significant for the implementation of the invention individually and also in any combinations.

Reference Number List

[0074]
1 data input terminal, terminal device 1, PC
2 service provider
3 registration server
4 short message service center, message converter
5 terminal device, second; mobile device; data input terminal
6 service user
7 connection, secure
8 connection; GSM mobile network; ISDN; SUS
TAN transaction number

Literature

[0075] DE 197 18 103 A1

[0076] DE 197 22 424 C1

[0077] WO 95/19593 A1

1. Process for establishing the authenticity of the identity of a service user (6) relative to the service provider (2) for release of an access authorization (password) for a service using two different data input terminals (1, 5), a registration server (3) and a message converter (4),
a) from the service user (6) in a first step over a secure connection (7), for example in the Internet, via the data input terminal (1) a connection being established to the registration server (3) of the service provider (2), with the request to transfer an access identification character (password; TAN);
b) whereupon in a second step the registration server (3) on the same transmission path (7) as under a) sends an invalid password (identification character; TAN) to the data input terminal (1) of the registered service user (6) [sic];
c) whereupon the service user (6) inputs the invalid password which has been sent to the data input terminal (1) into a second terminal device (5) (mobile device; fixed network device) which is different from the data input terminal (1) and which is registered for the same service user (6) according to a) in the registration server (3);
d) whereupon this invalid password or the like is sent from this second terminal device (5) over a transmission path (8) which is different from the transmission path mentioned under items a) and b) to a message converter (4) of the service provider (2);
e) and that the message converter (4) together with the registration server (3) compares the invalid password or the like which has been sent back to the password sent to the data input terminal (1) and, when the authorization data of the service user (6) for the data input terminal (1) and for the second terminal device (5) which is different from it are the same, the password is released as valid.

2. Process as claimed in claim 1, wherein the identification character (password; TAN) is used only for a predetermined time interval to establish authenticity.

3. Process as claimed in claim 1 or 2, wherein the identification character (password; TAN) can be changed at any time by the service user (6) after release of the password.

4. Process as claimed in claim 1 or one of the following claims, wherein the identification character is invalidated by the service provider (2) after a predetermined number of uses.

5. Process as claimed in claim 1 or one of the following claims, wherein the data transferred from the data input terminal (1) to the registration server (3) are encrypted.

6. Process as claimed in claim 1 or one of the following claims, wherein the data sent back from the registration server (3) to the data input terminal (1) are encrypted.

7. Process as claimed in claim 1 or one of the following claims, wherein the data transferred from the second terminal device (5) to the message converter (4) are transferred according to the GSM/SMS standard to the message converter (4).

8. Process as claimed in claim 1 or one of the following claims, wherein the data transferred from the second terminal device (5) to the message converter (4) are transferred via ISDN.

9. Device for executing the process as claimed in claim 1 or one of the following claims, with a data input terminal (1), a registration server (3) and a message converter (4), wherein the data input terminal (1) is a PC, the second terminal device (5) is a mobile device, the connection (7) between the PC (1) and the registration server (3) is a secure Internet connection over the secure socket layer or the like and the connection between the mobile device (5) and the message converter (4) is a mobile connection in the GSM network or the like.